Re: Draft: Cipher Suite Selection for HTTP/2 Negotiation over TLS 1.2
Martin Thomson <mt@lowentropy.net> Tue, 26 May 2026 22:06 UTC
Date: Wed, 27 May 2026 08:03:42 +1000
From: Martin Thomson <mt@lowentropy.net>
To: ietf-http-wg@w3.org
Message-Id: <145f019a-dc9c-4473-b669-391279eba235@betaapp.fastmail.com>
In-Reply-To: <92faerTVr6Z9GZSZ9pkxvbXvohA2NKCN8Qqx2LDWnWRXFR5IvPzlJQasqJv_IOLKl6fzJPQXyCzqu9wW65_mec-2SBujyvNlstn7ibju3Xc=@egl.sh>
References: <92faerTVr6Z9GZSZ9pkxvbXvohA2NKCN8Qqx2LDWnWRXFR5IvPzlJQasqJv_IOLKl6fzJPQXyCzqu9wW65_mec-2SBujyvNlstn7ibju3Xc=@egl.sh>
Subject: Re: Draft: Cipher Suite Selection for HTTP/2 Negotiation over TLS 1.2
Archived-At: <https://www.w3.org/mid/145f019a-dc9c-4473-b669-391279eba235@betaapp.fastmail.com>
This isn't needed. Reasons:

1. Every HTTP/2 implementation has solved this problem already.

2. The cipher suites that are forbidden in RFC 9113 are very dead. Any server stack that might support those ciphers will definitely not prefer them over cipher suites that are acceptable to HTTP/2.

3. This isn't a SHOULD. It's an implicit MUST in RFC 9113 already. Using SHOULD here is weaker than what RFC 9113 already says. After all, if you have a SHOULD, you are obligated to provide some guidance for the circumstances under which someone might choose not to follow the recommendation.

https://datatracker.ietf.org/doc/statement-iesg-statement-on-clarifying-the-use-of-bcp-14-key-words/

On Sat, May 23, 2026, at 23:32, Egor Gudzenko wrote:
> Hi,
>
> I've submitted an individual draft addressing the failure mode noted in
> Section 9.2.2 of RFC 9113, where HTTP/2 may be negotiated with a
> prohibited cipher suite.
>
> https://datatracker.ietf.org/doc/draft-gudzenko-httpbis-h2-cipher-selection/
>
> The draft adds a single SHOULD-level procedure: when an h2-compatible
> cipher suite is available in the negotiation, the server should prefer
> it. It doesn't change anything normative, and the only subject of this
> draft is to fill a normative gap that is identified in Section 9.2.2
> but does not describe how the server should behave in an ideal world.
>
> I filed it as Standards Track with updates: 9113, since the gap it
> closes is in normative text and a SHOULD-level addition doesn't fit BCP
> or Informational cleanly. That said, I'm genuinely uncertain whether
> this warrants a standalone update to 9113 or whether the WG sees a better
> path.
>
> Any feedback welcome.
>
> With regards,
> Egor Gudzenko
>
> Attachments:
> * publickey - egor@egl.sh - 0xAE5C7632.asc
> * signature.asc
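The failure mode the draft targets, and the joint selection it proposes, as a constructed example that is not part of this thread, the draft, or any TLS stack: `select_independently` picks ALPN and cipher suite separately (how h2 can end up on a deny-listed suite), `select_jointly` prefers an h2-compatible suite when h2 is offered. The `h2_compatible` check is an assumption that approximates the RFC 9113 Appendix A deny list by the two properties Section 9.2.2 describes (ephemeral key exchange and an AEAD cipher); a real server would check the full list.

```python
"""Joint ALPN and cipher suite selection for a TLS 1.2 server that offers h2.
Constructed example, not code from the draft, RFC 9113 or any TLS stack.
h2_compatible() approximates the RFC 9113 Appendix A deny list by the two
properties Section 9.2.2 describes (ephemeral key exchange, AEAD cipher)."""
from typing import List, Optional, Sequence, Tuple

# IANA-style suite names: ephemeral key exchange prefixes and AEAD markers.
EPHEMERAL_KX = ("TLS_ECDHE_", "TLS_DHE_")
AEAD_MARKERS = ("_GCM_", "_CCM", "CHACHA20_POLY1305")


def h2_compatible(suite: str) -> bool:
    """True when the suite is outside the deny list under the approximation above."""
    return suite.startswith(EPHEMERAL_KX) and any(m in suite for m in AEAD_MARKERS)


def select_independently(server_pref: Sequence[str], client_suites: Sequence[str],
                         client_alpn: Sequence[str]) -> Tuple[Optional[str], Optional[str]]:
    """The failure mode Section 9.2.2 notes: ALPN and cipher suite chosen separately,
    so a legacy suite ordering can pair h2 with a deny-listed suite."""
    suite = next((s for s in server_pref if s in client_suites), None)
    alpn = "h2" if "h2" in client_alpn else "http/1.1"
    return alpn, suite


def select_jointly(server_pref: Sequence[str], client_suites: Sequence[str],
                   client_alpn: Sequence[str]) -> Tuple[Optional[str], Optional[str]]:
    """The draft's procedure: if the client offers h2 and a mutually supported
    suite is h2-compatible, prefer that suite; otherwise fall back to HTTP/1.1
    with the server's first mutually supported suite."""
    common: List[str] = [s for s in server_pref if s in client_suites]
    if not common:
        return None, None  # no shared suite: the TLS handshake fails
    if "h2" in client_alpn:
        for s in common:
            if h2_compatible(s):
                return "h2", s
    return "http/1.1", common[0]


# Constructed handshake: the server keeps a legacy CBC suite at the top of its list.
SERVER_PREF = ["TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
               "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
               "TLS_RSA_WITH_AES_128_GCM_SHA256"]
CLIENT_SUITES = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"]
CLIENT_ALPN = ["h2", "http/1.1"]
```

With the constructed inputs, independent selection yields h2 on the CBC suite while joint selection yields h2 on the GCM suite; a client offering only the CBC suite gets HTTP/1.1 on it.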